Attacktive Directory (Active Directory)

So lets first do our nmap scan on the machine and see how many ports we have open so now that our nmap scan is done we can see we have and we can see there are a lot serices open and there are about 11 open under 10,000 and there is smb 445,139 and also krgbt for us

Now we can do a scan with enum4linux on smb port for this to see all the information about the SMB on this machine and we can see the domain name is THM-AD and also the name of the active directory is called spookysec.local and here we can see the invalid TLD name is local.

Now lets enumerate using the tool Ker brute and here we will use the userenum feature and see which users will give us a entry in to the system or are available to us and are legit .Here we can see the list of the users and one of these really stands out to us are the svc-admin and the backup user and because the svc-admin is a service administrator it might be possible for us to login to this without a password and use this account to get hashes .

Now here we can use a tool called GetNPUsers.py to basically give us a ticket which we can then crack the hash for and get the password this hash is of the type Kerberos 5 AS-REP etype 23 which is of mode 18200 in hashcat so lets now crack this

hashcat -a 0 -m 18200 hashes.txt passwordlist.txt

This wont take us that long to crack and please use the password list provided in the task.

Now lets enumerate the smb port again with the credentials we have and see what information can get at first lets just list all the files .

smclient -L \\\\<ip>\\ -U "sys-admin"

and this will first ask us about the password we just cracked and then list all the folders for us and here the one which really pops out for us is the backup one and now lets try to get into in the smb shell.

smbclient -L \\\\<ip>\\backup -U "sys-admin"

here we enter the password and then we can do ls and see the backup_credential.txt file and get it to our machine by doing get. and then lets cat out and see the contents of that file from the look of the hash i think its a base64 hash which we can crack using

cat backup_credentials.txt | base64 --decode

and then we will get the password for the backup account and thats greatt because now that we have the credentials with us we can use them to dump hashes using secretsdump.py. and this has a simple syntax

psexec.py -